Octopus Deploy invites you to test and help secure our primary publicly facing assets - focusing first on our primary web application. We appreciate your efforts and hard work in making the internet (and Octopus Deploy) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program.
Good luck and happy hunting!
What you should know before you start
- Ensure that you use your @bugcrowdninja.com email address when you’re testing our assets, any use of other email addresses may be treated as malicious and blocked.
- Ensure that you understand the targets, scopes, exclusions, and rules below. Please feel free to reach out and ask questions to clarify. We want you to feel as confident as possible.
Ratings / Rewards:
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority. Please see below for any deviations from the standard VRT.
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email firstname.lastname@example.org. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.